The skills tested and needed to solve the final task of this walkthrough room are: reverse shells, Burp Suite, upload vulnerabilities, and bypassing client-side extension filtering.
I am not writing a walkthrough for all the tasks because this is a “walkthrough” room. The only part where the creator doesn’t hold your hand through the tasks is Task 11: Challenge. Shoutout to @MuirlandOracle for creating the room. You can access the room at https://tryhackme.com/room/uploadvulns
I was assigned a target IP address of 10.10.82.178. You will be assigned a different IP address. If you did the tasks before the challenge task, then you know that you have to add your assigned IP address to the hosts file.
The final challenge is:
- Hack the machine and grab the flag from /var/www
- Visit the page by opening a web browser and type jewel.uploadvulns.thm
3. There are three things that the script checks for the file upload to be successful. For this task, we will work on the “Magic Number” check.
6. Delete the highlighted entry and hit OK:
7. Before we continue with exploiting the upload vulnerability, let’s check something else so we don’t have to guess which one is the reverse shell file that we will upload later. There will be pre-existing files with the same .jpg extension, and if you don’t know which one is your file, you will have to check each of the files to figure out which is yours. Right-click on the page and click Inspect Element.
8. Click on Style Editor and scroll all the way down to see the pre-existing files:
- Now, when you enumerate later to figure out which one is your file, you just have to compare the files from your enumeration to the list above.
9. This step is important so you don’t get the “Module does not exist” error when you trigger your reverse shell. You will have to clear your browser’s cached web content:
10. Now, time to turn on the proxy in your browser, and make sure Intercept is on in Burp Suite.
11. Hit refresh in your browser, then go to Burp Suite’s Intercept tab. Click Forward until you reach the “upload” request script, then right-click on the empty space in Burp and click “Do intercept > Response to this request”.
12. Click forward until you see the response from the server. Comment out the “Check Magic Number” by adding two forward slashes at the beginning of each line until the closing curly bracket:
13. Keep hitting “forward” until you don’t see any request to forward to the server anymore:
- Compare the images above. The first image is after we went through all of the previous steps involving Burp Suite to bypass client-side filtering.
15. Let us upload the reverse shell that we created in Step 4:
- The image above tells us that we have successfully bypassed the magic number filtering. If we had not disabled the filter, our upload would have been unsuccessful because the filter looks for the file signature of a jpg/jpeg file. Below is an image of a jpg/jpeg file signature:
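The reason this bypass works is that the magic number check runs in the browser, where Burp can simply comment it out. The same check done on the server cannot be disabled by the client. The following is an added example (not code from the room or from the room's author) of what that server-side check looks like; the JPEG signature bytes FF D8 FF are the real JPEG file signature, while the function name, the allowed-extension list and the sample payloads are constructed for this illustration.

```python
import os
from typing import Tuple

# JPEG files start with the bytes FF D8 FF (the "magic number" the room's
# client-side script looks for). A server-side check is the one that counts,
# because the client-side one can be edited away in an intercepting proxy.
JPEG_MAGIC = b"\xff\xd8\xff"

# Hypothetical allow-list of extensions for this example.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg"}


def validate_image_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Server-side upload checks. Returns (accepted, reason).

    Both checks are applied to what actually arrived at the server, so a
    client that disables its own JavaScript filter gains nothing.
    """
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext!r} is not allowed"
    if len(data) < len(JPEG_MAGIC) or not data.startswith(JPEG_MAGIC):
        return False, "magic number does not match a JPEG file"
    return True, "ok"


# Constructed sample uploads (not real files from the room):
REAL_JPEG = JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 16   # genuine signature
DISGUISED_SCRIPT = b"module.exports = function () {};"               # script renamed to .jpg
WRONG_EXTENSION = REAL_JPEG                                          # valid bytes, bad name


if __name__ == "__main__":
    for name, payload in [("photo.jpg", REAL_JPEG),
                          ("shell.jpg", DISGUISED_SCRIPT),
                          ("photo.js", WRONG_EXTENSION)]:
        accepted, reason = validate_image_upload(name, payload)
        print(f"{name}: {'accepted' if accepted else 'rejected'} ({reason})")
```

Note that a signature check alone only proves the first three bytes look like a JPEG; a file can carry a valid signature and still contain executable content after it. So the check above should be combined with storing uploads outside any directory that the application later includes or requires code from.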
16. Let’s enumerate jewel.uploadvulns.thm/content to find our uploaded reverse shell. Type gobuster dir -u https://jewel.uploadvulns.thm/content -w UploadVulnsWordlist.txt -x jpg
- dir – use directory/file brute-forcing mode
- -u – the flag that tells gobuster the URL we are scanning
- -w – the flag that sets the list of possible directory and file names
- -x – the flag that restricts the search to a specific file extension
- If you compare the image above to the one in Step 8, we can see that the file TRD.jpg was a new entry, meaning that was the reverse shell that we uploaded.
17. Start a netcat listener from your attack machine by typing nc -nlvp 8888 and make sure to match the port number of your listener to the port number you used in your reverse shell script.
18. Go to the admin page to execute our reverse shell. Open a browser, type jewel.uploadvulns.thm/admin and hit enter.
19. Type ../content/TRD.jpg in the field and hit enter, then go back to the netcat listener that you set up to check if you got a shell:
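The admin page accepts a module name and loads whatever path it points to, which is why ../content/TRD.jpg reaches the uploaded file. The added example below (not the room's code; the modules directory, the name allow-list and the function names are hypothetical) shows the two checks that close this: restrict the name to a safe character set, and confirm the resolved path still sits inside the intended directory before loading anything.

```python
import os
import re
from typing import Optional

# Hypothetical directory from which an admin page loads its modules.
MODULES_ROOT = "/var/www/app/modules"

# Module names are plain identifiers; anything with a slash, dot or space
# is refused before we even touch the filesystem.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+$")


def resolve_module_path(root: str, requested: str) -> Optional[str]:
    """Map a user-supplied module name to a path under ROOT.

    Returns the absolute path when the name is well-formed and the resolved
    location stays inside ROOT, otherwise None. Both defences are applied:
    the allow-list alone would miss future features that relax the pattern,
    and the containment check alone would still let odd names through.
    """
    if not SAFE_NAME.match(requested):
        return None
    root_abs = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_abs, requested))
    # commonpath guards against '/var/www/app/modules-evil' style prefixes
    # that a plain startswith() check would accept.
    if os.path.commonpath([root_abs, candidate]) != root_abs:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed inputs: a legitimate module name and the traversal
    # string used in this walkthrough.
    for name in ["stats", "../content/TRD.jpg", "..", "stats/../../etc"]:
        print(f"{name!r} -> {resolve_module_path(MODULES_ROOT, name)}")
```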
20. Hack the machine and grab the flag from /var/www:
I hope this will help my fellow learners who are struggling with completing this challenge.
Please don’t forget to subscribe to my blog to get updates when a new blog entry is uploaded.